• Resolved crdunst

    (@crdunst)


    Hi, could you please advise with regard to the recent vulnerability – are the SMTP passwords stored in plain text?

    We use a third party SMTP service, and the vulnerability in your plugin means we need to change the password on our account, which we will do.

    My question is – can a bad agent see that password in plain text?

Viewing 3 replies - 1 through 3 (of 3 total)
  • While there is no evidence from my sites that the email passwords were compromised, assume that your passwords were stolen.

    Change your passwords!!

    The “plain text” consideration is moot. Even though there is an encryption option, the program would have to decrypt the encrypted password in order to log in to the SMTP server – so the hackers could also decode. That said, I check the option to encrypt the password, aware it does little good except for stupid/lazy hackers (i.e. I’m no longer the lowest-hanging fruit).

    The way I have mine set up is a bit contorted and I have to stumble around a bit to get it to work. I use G-Suite email, and have to turn on 2FA, set up an app password, (?turn off 2FA,?) send a test email from the server via the app password, approve the security warning from Google (?and then re-enable 2FA).

    If you have a dedicated server and only one web site, set up sSMTP on the server and then protect the file that has the password. The only reason to use this plugin is if you need to send email via several different accounts from several different WP installs/multi-sites.
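
The file protection suggested in the reply above, as an added example that is not part of the original thread: a shell check that a config file holding an SMTP password (sSMTP reads it from an `AuthPass=` line) is a regular file with no world access and no group write. The function name `audit_smtp_secret_file` and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the permissions of a file that stores an SMTP password.
# audit_smtp_secret_file is a hypothetical helper name, not part of sSMTP.

audit_smtp_secret_file() {
    file=$1
    status=0

    # A symlink can redirect the check to a file with different permissions.
    if [ -L "$file" ]; then
        echo "FAIL: $file is a symlink"
        return 1
    fi
    if [ ! -f "$file" ]; then
        echo "FAIL: $file is not a regular file"
        return 1
    fi

    # Octal mode such as 640 (GNU stat first, BSD stat as a fallback).
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    other=$((mode % 10))
    group=$(( (mode / 10) % 10 ))

    if [ "$other" -ne 0 ]; then
        echo "FAIL: $file (mode $mode) is accessible to all local users"
        status=1
    fi
    # Bit 2 is write: a group member could swap in another relay or password.
    if [ $((group & 2)) -ne 0 ]; then
        echo "FAIL: $file (mode $mode) is group-writable"
        status=1
    fi
    # sSMTP reads the password from an AuthPass= line.
    if ! grep -q '^[[:space:]]*AuthPass=' "$file"; then
        echo "NOTE: no AuthPass line found in $file"
    fi
    [ "$status" -eq 0 ] && echo "OK: $file (mode $mode)"
    return "$status"
}

# Constructed sample config; the credentials are placeholders.
sample=$(mktemp)
printf 'AuthUser=relay@example.test\nAuthPass=constructed-placeholder\n' > "$sample"
chmod 644 "$sample"; audit_smtp_secret_file "$sample" || true   # FAIL
chmod 640 "$sample"; audit_smtp_secret_file "$sample" || true   # OK
rm -f "$sample"
```

On a real host, pass the path of the mailer's config file (commonly `/etc/ssmtp/ssmtp.conf` for sSMTP) instead of the temporary sample.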

    @crdunst, is your issue resolved?

    Regards

    Thread Starter crdunst

    (@crdunst)

    Well, the question wasn’t answered directly, but logically one would assume the password would be saved in plain text so the plugin can connect with the SMTP provider.

    We changed the SMTP password with our provider, and went through all websites to update the plugin and change the password in each install, so yes, I’ll mark this as resolved.

  • The topic ‘Storing of SMTP password’ is closed to new replies.